DETAILED ACTION

1. The response and IDS of 4/14/2008 were received and considered.

2. Claims 3-14 are pending.

Response to Arguments

3. Applicant's arguments with respect to claims 3-4 have been considered but are moot in
view of the new ground(s) of rejection.

4. Applicant's response cancels claims 1-2 and adds new claims 3-14. The application of
the newly-cited Dutta reference, in combination with the other applied references, is given
below.



Claim Rejections - 35 USC § 102

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(a) the invention was known or used by others in this country, or patented or described in a printed publication in this
or a foreign country, before the invention thereof by the applicant for a patent.

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for
patent by another filed in the United States before the invention by the applicant for patent, except that an
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this
subsection of an application filed in the United States only if the international application designated the United
States and was published under Article 21(2) of such treaty in the English language.

6. Claims 3, 5 & 7-8 are rejected under 35 U.S.C. 102(a)/102(e) as being anticipated by
U.S. Patent Application Publication 2003/0093667 to Dutta et al. (Dutta).

Regarding claim 3, Dutta discloses a method of provisioning a first token (PTD, ¶57)
having a first secret (private key, ¶51) comprising sending a request for a certificate (redemption
step requests RVO, Fig. 4, step C), receiving a certificate (Take ticket) that contains a second
secret (RVO, ¶63) encrypted with a public key of the token (RVO encrypting with TPDPuK,
Fig. 4, step D), the second secret (RVO) distinct from the first secret (RVO is not the same as the
private key of the PTD), decrypting the second secret with a private key of the token (decryption
is not explicitly shown, however, it is inherent as the RVO is used by the PTD to generate the
RVT/pseudo-random sequence, ¶63 & ¶67, and the RVO is received in encrypted form, Fig. 4,
step D & ¶67) and generating a one time password (RVT) based on the second secret (generating
the RVT/pseudo-random sequence based on the RVO received, ¶63 & ¶¶75-76).

Regarding claim 5, Dutta discloses wherein the second secret (RVO) is a symmetric
cryptographic key (value used to generate a password/RVT, ¶63). It is noted that a symmetric
cryptographic key is a data value.

Regarding claim 7, Dutta discloses wherein the one time password (RVT) based on the
second secret (RVO) is further based on a signal from a clock (S/P generator also generates RVT
based on a clock value, ¶67).

Regarding claim 8, Dutta discloses wherein the one time password based on the second
secret is further based on a counter value (S/P generator also generates RVT based on a clock
value, which is a form of counter, ¶67).

Claim Rejections - 35 USC §103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are
such that the subject matter as a whole would have been obvious at the time the invention was made to a person
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the
manner in which the invention was made.

8. Claim 4 is rejected under 35 U.S.C. 103(a) as being unpatentable over Dutta, as applied 
to claim 1 above, in view of U.S. Patent Application Publication 2002/0131592 to Hinnant et al. 
(Hinnant). 

Regarding claim 4, Dutta discloses a system where a personal device, such as a PDA or
computer, receives a rapid verification object. The RVO is used as a seed, possibly with other
information, to generate an RVT/pseudo-random sequence which is sent to and verified at
another device (rapid verification system). Dutta lacks subsequent to receiving the second
secret, discontinuing generation of one time passwords based on the first secret. However,
Hinnant teaches that it is well known to generate keys using a pseudorandom number generator
that is based on a seed (¶8) and that it is also known that, because the seed can be
recovered/compromised (¶9), it is known to update the seed to maintain the security of the
pseudorandom sequence (¶11). Therefore, it would have been obvious to one having ordinary
skill in the art at the time the invention was made to modify Dutta's PDT to receive updated
seeds (RVO) and thus generate one time passwords based on a first secret (received seed), in a
manner as described above, and to receive a second secret (updated seed/new RVO), after
which generation of one time passwords based on the first secret (old seed) is discontinued. One
of ordinary skill in the art would have been motivated to perform such a modification to avoid
problems with the RVO being recovered by an attacker by updating the seed/RVO to maintain
the security of the system, as taught by Hinnant.
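
The following sketch is an added illustration, not part of the Office action or of any cited reference. It shows the flow discussed in the claim 3 and claim 4 rejections: a token receives a seed encrypted under its public key, decrypts it, derives counter-based one time passwords from it, and stops using the old seed once an updated one arrives. The textbook RSA with fixed small primes and the HMAC-based (RFC 4226 style) OTP are stand-ins chosen so the sketch runs on the standard library alone; Dutta's RVO/RVT formats are not reproduced and all names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA (no padding, fixed Mersenne primes): illustration only, not secure.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def issue_seed(pub):
    """Issuer side: pick a fresh 16-byte seed and encrypt it to the token's public key."""
    n, e = pub
    seed = secrets.token_bytes(16)
    return seed, pow(int.from_bytes(seed, "big"), e, n)

def otp(seed, counter, digits=6):
    """HMAC-SHA1 over the counter, dynamically truncated to a decimal code."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)

class Token:
    def __init__(self):
        self.pub, self._priv = (N, E), D      # key pair held by the token
        self._seed, self._counter = None, 0   # no OTP seed until provisioned

    def provision(self, ciphertext):
        """Decrypt a delivered seed; it replaces any earlier seed, which is never used again."""
        m = pow(ciphertext, self._priv, N)
        self._seed, self._counter = m.to_bytes(16, "big"), 0

    def next_otp(self):
        if self._seed is None:
            raise RuntimeError("token not provisioned")
        self._counter += 1
        return otp(self._seed, self._counter)

def demo():
    token = Token()
    seed1, ct1 = issue_seed(token.pub)
    token.provision(ct1)
    ok1 = hmac.compare_digest(token.next_otp(), otp(seed1, 1))  # verifier recomputes
    seed2, ct2 = issue_seed(token.pub)                          # updated seed issued
    token.provision(ct2)
    ok2 = hmac.compare_digest(token.next_otp(), otp(seed2, 1))
    return ok1, ok2

if __name__ == "__main__":
    print(demo())
```

A clock-based variant feeds a time step (for example, Unix time divided by a fixed interval) into `otp` in place of the counter.
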
9. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Dutta, as applied
to claim 1 above, in further view of "Strong Enterprise User Authentication: RSA ACE/Server"
by RSA Security (RSA).

Regarding claim 6, Dutta lacks wherein the one time password (RVT, also called the
pseudo random sequence, ¶67) based on the second secret is further based on a personal
identification number. However, RSA teaches that the addition of a second factor (PIN) is a
stronger form of authentication (p. 3, §11, ¶1), where a token code is read from the token and
entered along with a PIN, where the software hashes the values and submits them for
authentication (p. 4, ¶¶1-2). Therefore, it would have been obvious to one having ordinary skill
in the art at the time the invention was made to modify Dutta to allow a user to input a PIN to be
combined with the RVO/seed generated to generate a one time password. One of ordinary skill
in the art would have been motivated to perform such a modification to gain one of the benefits of
a second form of authentication, such as increased certainty of authenticity, as taught by RSA.

10. Claims 9, 11 & 13-14 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Dutta in view of U.S. Patent 7,197,072 to Hsu et al. (Hsu). 

Application/Control Number: 10/782,751

Art Unit: 2134

Regarding claim 9, Dutta discloses a token (PTD, Fig. 1, #16) for generating one time
passwords comprising a processor (PTD, Fig. 3, #16, including security element, Fig. 1, #20,
Fig. 3, #20 and functional element, Fig. 3, #40) and a memory coupled to the processor (Fig. 3,
#52 & Fig. 3, #62), the memory storing a first secret (stores PTKPrK, Fig. 3, #62) and executing
the processor to send a message that includes a request for a certificate (redemption step requests
RVO, Fig. 4, step C), receive a certificate (Take ticket) that contains a second secret (RVO)
encrypted with a public key of the token (RVO encrypting with TPDPuK, Fig. 4, step D),
decrypt the second secret with a private key of the token (decryption is not explicitly shown,
however, it is inherent as the RVO is used by the PTD to generate the RVT/pseudo-random
sequence, ¶63 & ¶67, and the RVO is received in encrypted form, Fig. 4, step D & ¶67), store the
second secret in memory (S/P generator stores the RVO, which contains a seed, for generation of
a pattern/sequence, Fig. 3, #64, ¶46 & ¶63) and generate a one time password (RVT) based on
the second secret (generating the RVT/pseudo-random sequence based on the RVO received, ¶63
& ¶¶75-76). Dutta discloses in ¶68 that the security element comprises a program (computer
instructions) to perform its actions, but lacks explicitly that the functional element processor
includes token instructions for execution on the processor to perform the functions of the
functional element. However, Hsu teaches where a processor can be an application specific
processor or a general-purpose computer executing software instructions (col. 4, lines 19-26)
where the general-purpose hardware with software solution provides more upgradeability and
lower cost than dedicated hardware (col. 16, line 16 - col. 17, line 5). Therefore, it would have
been obvious to one having ordinary skill in the art at the time the invention was made to modify
Dutta to explicitly include token instructions adapted to be executed by the processor to perform
the sending, receiving, decrypting, storing and generating steps. One of ordinary skill in the art
would have been motivated to perform such a modification to gain the benefits of upgradeability
and lower cost, as taught by Hsu.

Regarding claim 11, Dutta discloses wherein the second secret (RVO) is a symmetric
cryptographic key (value used to generate a password/RVT, ¶63). It is noted that a symmetric
cryptographic key is a data value.

Regarding claim 13, Dutta discloses wherein the one time password based on the second
secret is further based on a signal from a clock (S/P generator also generates RVT based on a
clock value, ¶67).

Regarding claim 14, Dutta discloses wherein the one time password based on the second
secret is further based on a counter value (S/P generator also generates RVT based on a clock
value, which is a form of counter, ¶67).

11. Claim 10 is rejected under 35 U.S.C. 103(a) as being unpatentable over Dutta and Hsu,
as applied to claim 9 above, in further view of Hinnant. 

Regarding claim 10, Dutta discloses a system where a personal device, such as a PDA or
computer, receives a rapid verification object. The RVO is used as a seed, possibly with other
information, to generate an RVT/pseudo-random sequence which is sent to and verified at
another device (rapid verification system). Dutta lacks subsequent to receiving the second
secret, discontinuing generation of one time passwords based on the first secret. However,
Hinnant teaches that it is well known to generate keys using a pseudorandom number generator
that is based on a seed (¶8) and that it is also known that, because the seed can be
recovered/compromised (¶9), it is known to update the seed to maintain the security of the
pseudorandom sequence (¶11). Therefore, it would have been obvious to one having ordinary
skill in the art at the time the invention was made to modify Dutta's PDT to receive updated
seeds (RVO) and thus generate one time passwords based on a first secret (received seed), in a
manner as described above, and to receive a second secret (updated seed/new RVO), after
which generation of one time passwords based on the first secret (old seed) is discontinued. One
of ordinary skill in the art would have been motivated to perform such a modification to avoid
problems with the RVO being recovered by an attacker by updating the seed/RVO to maintain
the security of the system, as taught by Hinnant.

12. Claim 12 is rejected under 35 U.S.C. 103(a) as being unpatentable over Dutta and Hsu, 
as applied to claim 9 above, in further view of RSA. 

Regarding claim 12, Dutta lacks wherein the one time password (RVT, also called the
pseudo random sequence, ¶67) based on the second secret is further based on a personal
identification number. However, RSA teaches that the addition of a second factor (PIN) is a
stronger form of authentication (p. 3, §11, ¶1), where a token code is read from the token and
entered along with a PIN, where the software hashes the values and submits them for
authentication (p. 4, ¶¶1-2). Therefore, it would have been obvious to one having ordinary skill
in the art at the time the invention was made to modify Dutta to allow a user to input a PIN
to the PTD (¶29) to be combined with the RVO/seed generated to generate a one time password.
One of ordinary skill in the art would have been motivated to perform such a modification to
gain one of the benefits of a second form of authentication, such as increased certainty of
authenticity, as taught by RSA.

Conclusion 

13. Applicant's amendment necessitated the new ground(s) of rejection presented in this
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO
MONTHS of the mailing date of this final action and the advisory action is not mailed until after
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the date of this
final action.

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to MICHAEL J. SIMITOSKI whose telephone number is (571) 272-3841.
The examiner can normally be reached on Monday - Thursday, 6:45 a.m. - 4:15 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



July 23, 2008

/Michael J Simitoski/ 

Primary Examiner, Art Unit 2134 